Best Practices for Windows Log Collection in Large DHCP Environment

I am currently in the process of trying to perform Windows Log Collection in a large DHCP environment. The customer has stated that the environment is so large that providing workstation hostnames would be impossible and unmanageable.

My main question is this: How do I perform log collection in a large DHCP Windows environment WITHOUT having to create a data source for each of the hosts I want to collect from?

The only deployment option that I feel is viable at this point is log collection from the Domain Controller and then collecting AV logs from their solution (not ePO), which they say is not ideal.

The agent/collector does not seem like a viable option anyway because, while I could globally push the agent to each host, I would still need to create a data source for each host.

Any ideas are greatly appreciated because I am running out of ideas. Thanks.

Re: Best Practices for Windows Log Collection in Large DHCP Environment

1. Configure the Event Source systems to forward events to the WEF Event Collector.

2. Install the Agent on the WEF Event Collector.

3. Add a single host, and for Host Name/IP, add the Event Collector IP address.

4. Create a Configuration. Select Windows Event Log and name the configuration.

5. Select Forward Event in the Windows Event area.

   NOTE: WEF can forward to logs other than Forwarded Events. Forwarded Events is the default.

6. At this point, you have two choices:

   - Select WEF: if you require the granularity of a data source per Event Source, check the WEF box.

   - Do not select WEF: if you have many Event Sources (for instance, Event Forwarding can be configured as part of a Domain group policy, and doing so can make it less obvious how many Event Sources are actually forwarding events), then having a data source for each Event Source might prove difficult. In this case, leave WEF deselected. This way, all events are collated under the Agent data source.
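As an added illustration of step 1 and of the "how many Event Sources are actually forwarding" concern in step 6 (example commands written for this thread, not the poster's own or the SIEM vendor's; the collector name wec01.corp.example, the subscription name and the chosen event IDs are placeholders to adapt), the following PowerShell sets up a source-initiated WEF subscription on the collector, shows the equivalent of the Group Policy setting that points sources at it, and then counts forwarding sources on the collector. Forwarded events keep the original host in their Computer field (MachineName below), which is what the per-Event-Source data source option relies on.

```powershell
# ===== Collector side: run elevated on the WEF Event Collector (example, assumed host wec01.corp.example) =====

# Enable the Windows Event Collector service and its WinRM listener.
wecutil qc /q

# Source-initiated subscription: domain members authenticate with their machine
# account over Kerberos; the SDDL admits the Domain Computers group only.
$subscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2004/02/ws-management/subscription">
  <SubscriptionId>Workstations-Security</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Workstation security events collected for the SIEM agent (example)</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>100</MaxItems>
      <MaxLatencyTime>30000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="60000"/>
    </PushSettings>
  </Delivery>
  <Query>
    <![CDATA[
<QueryList>
  <Query Id="0" Path="Security">
    <!-- example selection: logon success/failure and process creation -->
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4688)]]</Select>
  </Query>
</QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <!-- target log on the collector; ForwardedEvents is the default, another log can be named here -->
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
'@

$xmlPath = Join-Path $env:TEMP 'Workstations-Security.xml'
Set-Content -Path $xmlPath -Value $subscriptionXml -Encoding UTF8
wecutil cs $xmlPath                  # create the subscription from the XML
wecutil gr Workstations-Security     # runtime status, including the list of active sources

# ===== Source side: what the Group Policy setting writes on each workstation =====
# GPO path: Computer Configuration > Administrative Templates > Windows Components >
#           Event Forwarding > Configure target Subscription Manager
$smKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $smKey -Force | Out-Null
Set-ItemProperty -Path $smKey -Name '1' `
  -Value 'Server=http://wec01.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60'

winrm quickconfig -q                 # WinRM must be running on the source
# The forwarder runs as NETWORK SERVICE, which needs read access to the Security log.
Add-LocalGroupMember -Group 'Event Log Readers' -Member 'NT AUTHORITY\NETWORK SERVICE'
gpupdate /force                      # when the setting comes from GPO, this triggers the refresh

# ===== Collector side: how many Event Sources are really forwarding? =====
# Each forwarded record keeps the originating host, so grouping by MachineName
# gives a per-source count even though the SIEM sees a single collector host.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 5000 |
  Group-Object MachineName |
  Sort-Object Count -Descending |
  Select-Object Name, Count
```

Within a domain the HTTP listener on 5985 is still Kerberos-authenticated and the WS-Management payload is encrypted at the message level; an HTTPS listener on 5986 with machine certificates is the usual choice when non-domain sources must be admitted through AllowedSourceNonDomainComputers. If the SIEM side needs the events in a log other than Forwarded Events, change the LogFile element and pick that log in the agent configuration instead.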

Re: Best Practices for Windows Log Collection in Large DHCP Environment

I do not have the exact answer to your question, but I will try to give some ideas in order to help you.

First, if the customer has ePO, you can deploy the McAfee SIEM Agent automatically to each workstation.

I currently do not know if it is possible to configure the agent's hostid parameter to reflect the workstation name through ePO.

Then you can use the autolearning feature with an automatic rule to add each of the data sources to your SIEM. For example, you can use variables such as HOST, IP, MODEL inside the name to reflect the same name you put in ePO.

Re: Best Practices for Windows Log Collection in Large DHCP Environment

Thank you for the response. Unfortunately, the customer does not use ePO. I wish they did though. However, I believe that the agent can be pushed to each host via other endpoint protection, it would just be a custom package that I would have to build.

Could you expand on your idea for using an automatic rule to add data sources? From my understanding, auto-learn capabilities were based on IP. Since this is a DHCP environment, I'm not sure we could rely on this option, but I would still like to hear your thoughts - maybe I am missing something.

Re: Best Practices for Windows Log Collection in Large DHCP Environment

Now you got me cooking with fire. I have opened a ticket with Support to further discuss this option. My previous support ticket into this type of log collection did not detail this type of collection. This might be the perfect option.

Thank you for the response! I will update this thread with further details in case future engineers run into this dilemma! Cheers!